ITAD Data Security
Minimizing ITAD Data Security Risks
Recent events with the Morgan Stanley ITAD debacle have brought up some serious concerns about the potential security risks involved in the ITAD cycle. And the reality is, those concerns are justified. Improper handling and lack of oversight are a great way to expose sensitive consumer information and wind up with millions of dollars in settlements and a ton of bad press at your doorstep. There are ways to prevent an ITAD nightmare. How can you make sure this sort of thing doesn't happen to you?
Data Security is a big deal.
Many companies are making data security a top priority, and it’s not hard to see why. The exploitation of data and digital security vulnerabilities has been a serious problem for quite a while and is still on the rise. In fact, some estimate that cybercrime is up 600% since the beginning of the pandemic. With so many possible security issues potentially threatening organizations, why add to it with careless asset disposal services that could land you in a lot of hot water?
Even though data erasure and degaussing make up the foundation of ITAD practices, being vigilant about ensuring they are done responsibly and properly is essential. For competent and trustworthy ITAD providers, this is a no-brainer. They take it seriously, but you should, too.
ITAD Chain of Custody & Reporting
Chain of custody refers to the process of maintaining and documenting the handling of evidence. Basically, it’s a detailed record that shows where assets are, who is responsible for them, and any changes that have taken place. A solid chain of custody process is a key part of ITAD services. It can help minimize risks and reveal vulnerabilities in the security of your organization that can be addressed before there is an issue. Having a clear picture of where things are, who has them and who is responsible for the next step can save a lot of headaches.
Specifically for ITAD, a chain of custody log should include information like who collected, received, and disposed of the equipment, as well as when the actions took place and how the data was deleted. Guidelines for erasing data from electronic storage were developed by the National Institute of Standards and Technology (NIST). Companies that follow the guidelines (NIST 800-88) provide documentation of data destruction, also known as a Certificate of Destruction.
It's a good idea to find out what kinds of reporting your ITAD provider offers and if it will suit your needs. Will they give you a Certificate of Destruction? What other reports do they provide? Knowing what types of reports are available and how they will be delivered to or accessed by your team is another step in making sure you will have documentation at every step of the process.
Safe Asset Disposal
Erase Your Data
Data erasure is a foundational part of the process of decommissioning assets. Ignoring or being careless with this step makes disposing of or reselling equipment a glaring security risk. Some organizations choose to take care of the data destruction in-house, and others prefer to have their vendor take care of that step.
Regardless of the route you decide to take, it's important to make sure it gets done. Like most things in life, there are pros and cons to both choices.
While in-house data destruction allows for complete control of the process, sometimes staff capabilities and/or available data erasure tools may be limited, leaving room for errors. Free data wiping software can leave some data intact, creating possible vulnerabilities. If you choose to have your vendor complete the data destruction process, find out what their process is and what certification and/or reporting they provide to prove they completed the task. Various methods are employed to erase data, and their effectiveness depends on the technology of the device in question. Not paying attention to whether the data has been erased can damage your reputation and result in significant fines if it has not been done correctly.
Vet Your Vendor — Ask Questions
We always advocate for people to ask questions and understand the contracts being signed and the services that will be provided. That goes for anything, but it is especially important in the IT industry, where the jargon and technical details can be complicated. I know it seems easiest to just go with a provider who will save your bottom line, but it's worthwhile to take the time to investigate your vendor.
What services do you offer? Getting a full rundown on the ITAD services the vendor provides will help you determine if it will meet your needs and that you won't need to find additional vendors to complete your tasks.
Tell me about your certifications and reporting process. This part of the conversation is essential and helps you to understand the vendor's processes and guidelines. Do they follow NIST 800-88 guidelines? Do they use DoD 5220.22-M standards for data erasure? Will you be given a Certificate of Destruction? What reports are offered? These sorts of questions can and should be answered during the vetting process.
How is equipment disposed of that can't be resold? Sometimes devices truly are at the end of their life and need to be disposed of. Certifications such as e-Stewards ensure that ethical and environmentally responsible recycling practices are carried out. Discuss with your provider what their process entails.
What kind of support can I expect to receive with ITAD services? Of course, every company talks about their customer service, but the truth comes out when you need something or have an issue. Get a feel for the vendor's communication style. Are they easy to get a hold of? Do they answer promptly and communicate clearly? Great support can make all the difference and be an indicator of other areas of their business.
So you’ve found an ITAD provider you can trust. You sign an agreement with them. Now they will take care of the rest, and you can forget about it, right? Wrong. While it might be tempting to have a set-it-and-forget-it mentality, the burden of responsibility still lies with the organization until there is proof of a successful transfer to the vendor. Verify. Verify. Verify.
Yes, it does take extra time to check all the certifications and reports to ensure all the proper steps were followed, but it is worth it! No one wants to face data mismanagement fines and be accused of failing to exercise proper oversight!
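One way to do that verification is to reconcile your own decommissioning inventory against the vendor's chain of custody log and Certificates of Destruction. The script below is an added example, not code from M Global or any ITAD vendor; the field names, serial numbers and records are constructed, and the only media rule it encodes is that degaussing does not sanitize flash storage.

```python
from datetime import datetime

REQUIRED_ACTIONS = ("collected", "received", "disposed")  # steps the log should record
INEFFECTIVE = {("ssd", "degauss")}  # degaussing does not sanitize flash storage

# Constructed sample records; field names are assumptions, not a vendor format.
INVENTORY = {"SN-1001": "hdd", "SN-1002": "ssd", "SN-1003": "hdd", "SN-1004": "hdd"}
CUSTODY_LOG = [
    ("SN-1001", "collected", "j.doe", "2024-03-01T09:00"),
    ("SN-1001", "received", "vendor-dock-2", "2024-03-01T15:30"),
    ("SN-1001", "disposed", "vendor-tech-7", "2024-03-04T11:00"),
    ("SN-1002", "collected", "j.doe", "2024-03-01T09:05"),
    ("SN-1002", "received", "vendor-dock-2", "2024-03-01T15:30"),
    ("SN-1002", "disposed", "vendor-tech-7", "2024-03-04T11:20"),
    ("SN-1003", "collected", "j.doe", "2024-03-01T09:10"),
    ("SN-1003", "disposed", "vendor-tech-7", "2024-03-04T12:00"),
    ("SN-1004", "collected", "", "2024-03-02T09:00"),
    ("SN-1004", "received", "vendor-dock-2", "2024-03-01T15:30"),
    ("SN-1004", "disposed", "vendor-tech-7", "2024-03-04T12:30"),
]
CERTIFICATES = {"SN-1001": "overwrite", "SN-1002": "degauss", "SN-1004": "shred"}

def audit_disposition(inventory, custody_log, certificates):
    """Return {serial: [findings]} for every asset whose paper trail is incomplete."""
    findings = {}
    for serial, media in inventory.items():
        issues = []
        events = {action: (actor, datetime.fromisoformat(ts))
                  for s, action, actor, ts in custody_log if s == serial}
        missing = [a for a in REQUIRED_ACTIONS if a not in events]
        issues += [f"no '{a}' entry" for a in missing]
        issues += [f"'{a}' entry has no responsible party"
                   for a, (actor, _) in events.items() if not actor]
        if not missing:
            times = [events[a][1] for a in REQUIRED_ACTIONS]
            if times != sorted(times):
                issues.append("custody timestamps out of order")
        method = certificates.get(serial)
        if method is None:
            issues.append("no Certificate of Destruction")
        elif (media, method) in INEFFECTIVE:
            issues.append(f"'{method}' is not effective on {media} media")
        if issues:
            findings[serial] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit_disposition(INVENTORY, CUSTODY_LOG, CERTIFICATES).items():
        print(serial, "->", "; ".join(issues))
```

Any serial that appears in the result is an asset for which responsibility has not been provably transferred, so it should be followed up with the vendor before the disposal job is closed.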
Let M Global Help
Contact us if you'd like to find out more about how we can help ensure that your assets are disposed of safely and responsibly. We encourage questions and would love to have a conversation with you about your ITAD needs. We're happy to assist you, and will work with you to find the best option for your unique IT environment!
Written by Angie Stephens with contributions from M Global team members including SMEs, management executives, and more.